Title:  ZombieLoad: Cross-Privilege-Boundary Data Sampling

Abstract:
In early 2018, Meltdown first showed how to read arbitrary kernel memory from user space by exploiting side-effects
from transient instructions. While this attack has been mitigated through stronger isolation boundaries between user
and kernel space, Meltdown inspired an entirely new class of fault-driven transient execution attacks. Particularly,
over the past year, Meltdown-type attacks have been extended to not only leak data from the L1 cache but also from
various other microarchitectural structures, including the FPU register file and store buffer.

In this paper, we present the ZombieLoad attack which uncovers a novel Meltdown-type effect in the processor's previously
unexplored fill-buffer logic. Our analysis shows that faulting load instructions (i.e., loads that have to be re-issued for either
architectural or microarchitectural reasons) may transiently dereference unauthorized destinations previously brought into
the fill buffer by the current or a sibling logical CPU. Hence, we report data leakage of recently loaded stale values across
logical cores. We demonstrate ZombieLoad's effectiveness in a multitude of practical attack scenarios across CPU privilege
rings, OS processes, virtual machines, and SGX enclaves. We discuss both short and long-term mitigation approaches and
arrive at the conclusion that disabling hyperthreading is the only possible workaround to prevent this extremely powerful attack
on current processors.